Recently Compromised Websites Could Launch Attack Anytime

Security researchers at the SANS Internet Scam Center (ISC) have cautioned against a new SQL injection-like attack, which has hacked a considerable number of sites.

The injected harmful code is obfuscated inside the database employing a strange method which involves calling the CAST () function twice to convert the string between different character sets.

Manuel Humberto Santander Peláez, the ISC handler who examined the compromise, states that this attack tries to update every varchar column present in the database to append the iframe text shown. This has proved to be an enormous and successful attack, as per the news by Softpedia on August 16, 2010.

As per the security experts, looking for domains with IFRAME gives an idea about the impact, but no concrete evidence of the scale was found. For instance - Bing shows nearly 22,000 domains affected by the automated attack, whereas Yahoo counts almost 23,000. Google, on the other hand, shows 535,000.

To make things worse, the attack is using a domain on a bulletproof server out of China, making it almost impracticable to knock offline. nemohuildiin.ru (a domain) is hosted in China on one of the familiar bulletproof hosts, AS4134 (China Net). Earlier, this domain has linked with harmful mails of the Xerox WorkCentre Pro document scans. As per the Zeus tracker, the domain works as an active Command and Control (C&C) Server for the Zeus botnet.

A fascinating aspect is that presently there is no payload served by the rogue php script on the nemohuildiin.ru domain, which is unusual for a new attack. This implies that the hacked sites are waiting in standby and could begin serving harmful content to their visitors at any point of time.

There is a strong possibility that the SQL injections will revamp to a scaled attack on users, as the compromised websites have a wide reach, including both the government and private domains. However, this is questionable.

Meanwhile, the security experts stated that the moral of the story is that web masters should monitor web applications for data input vectors, and ensure that details submitted is safe and disinfected. Home users should periodically check to make sure that their antivirus and other security applications are updated.

Dear Reader

We are happy to see you are reading our IT Security News.

We do believe, that the foundation for a good work environment starts with fast, secure and high performing computers. If you agree, then you should take a look at our Business Solutions to Spam Filter & Antivirus for even the latest version of Exchange Servers - your colleagues will appreciate it!